TL;DR Instead of using Let’s Encrypt, try generating certificates with something like Buypass Go SSL instead. Here’s a guide for Certbot.

In September 2021, Plex reported that certain smart TVs would stop working over secure connections to Plex. For some reason they don’t mention in that post the actual reason why that is.

After a tiny bit of digging, I realized it was related to Let’s Encrypt’s DST Root certificate expiring. Since I didn’t like the idea of just serving “insecure connections”, I thought: “Well, can’t I just use a different CA?”

I had previously explored using a mixture of CAs. Let’s Encrypt is fantastic, but I also don’t like having all my eggs in one basket, so I wanted at least one other alternative.
At some point I found Buypass Go SSL, which seemed to be a good alternative, although with a few downsides:
There’s a limit of 5 domains per certificate and no support for wildcard certificates (unless you pay, of course).

Anyways, the main issue with Let’s Encrypt old root certificate expiring is that their new one isn’t supported in certain “older” devices.
I realized that Buypass certificates don’t really have this problem, which from my understanding is because they’ve been in the certificate bsiness for a while and their current root certificates were issued in 2010.

If you use Certbot, Buypass has a guide on how to generate certificates via Buypass Go SSL.
I personally use acme.sh, which actually its own wiki page on how to generate Buypass certificates.